Community Policies

Explore open source security policies by Mondoo and the Mondoo community.

Mondoo's cnspec GitHub repository is a free, open source collection of over 40 security, best-practices, and compliance policy bundles created by Mondoo and the Mondoo community. They cover a wide range of platforms and technologies:

  • Operating systems: FreeBSD, Linux, macOS, and Windows (including specialized variants for workstations and operational best practices)
  • Cloud providers: AWS, Microsoft Azure, Google Cloud, OpenStack, and Oracle Cloud
  • Containers and infrastructure as code: Kubernetes, Dockerfiles, and Terraform
  • SaaS platforms: Cloudflare, GitHub, GitLab, Google Workspace, Microsoft 365, Okta, Slack, Snowflake, and Tailscale
  • Network devices: Arista EOS, F5 BIG-IP, Juniper Junos, Palo Alto PAN-OS, and Ubiquiti UniFi
  • Network and web security: DNS, TLS/HTTP, and email
  • Other technologies: Chef Infra, EDR (endpoint detection and response), and industrial controllers (Phoenix PLCnext)

cnspec ships with default policies that automatically match the platform you scan, so there's no need to download those separately. Community policies are useful when you want to apply additional checks beyond the defaults, or run a policy that targets a system cnspec doesn't auto-detect (a SaaS tenant, for example).

Use a community policy

To scan with a community policy bundle, pass its URL to cnspec with --policy-bundle (or its short alias, -f):

cnspec scan github org YOUR_ORG -f https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-github-security.mql.yaml

You can also run a policy bundle against a local system:

cnspec scan local -f https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-linux-security.mql.yaml

When you use -f, cnspec applies only the checks in that bundle instead of the default policies.

To save a copy locally instead of fetching the URL on every scan, download the bundle file and pass its path:

cnspec scan local -f ./mondoo-linux-security.mql.yaml
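
The bundle URLs above point at the main branch, so the file they serve can change between scans. As an added example (not from Mondoo's documentation), the script below records a SHA-256 for the saved copy and checks it before each scan; the function names and the .sha256 sidecar file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin a locally saved policy bundle to a recorded SHA-256 and
# refuse to scan if the file no longer matches. Function names are hypothetical.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
bundle_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Download a bundle once and record its hash beside it as <file>.sha256.
# Review the downloaded YAML before relying on the recorded hash.
fetch_and_pin() {
    url=$1; dest=$2
    curl -fsSL -o "$dest" "$url" || return 1
    bundle_sha256 "$dest" > "$dest.sha256"
}

# Return 0 only if the bundle exists and still matches its recorded hash.
verify_bundle() {
    bundle=$1
    [ -f "$bundle" ] && [ -f "$bundle.sha256" ] || return 1
    [ "$(bundle_sha256 "$bundle")" = "$(cat "$bundle.sha256")" ]
}

# Verify first, then run the scan command from this page on the local copy.
scan_local_pinned() {
    bundle=$1
    if ! verify_bundle "$bundle"; then
        echo "refusing to scan: $bundle is missing or does not match its pinned hash" >&2
        return 1
    fi
    cnspec scan local -f "$bundle"
}

# Usage:
#   fetch_and_pin https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-linux-security.mql.yaml ./mondoo-linux-security.mql.yaml
#   scan_local_pinned ./mondoo-linux-security.mql.yaml
```

Keeping the .sha256 file in version control alongside the bundle makes any change to the checks visible in review.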

To learn more about working with policies, read About Policies and Manage Policies.
